By Ewen O’Brien, VP of Enterprise, EMEA at BitSight
Data breaches are never far from the news. Some headlines have even suggested that they’ve become the “new normal.” And while we haven’t seen a wide-scale attack since WannaCry was unleashed two years ago, a recent turn of events suggests that the perfect cyber storm may be brewing.
A few weeks ago, away from the attention-grabbing headlines about big breaches and data compromise, an unusually high number of technology giants experienced what some have called “a cyber week from hell.” Multiple severe and exploitable flaws were discovered in the hardware and software systems of Adobe, Cisco, Facebook, Microsoft, Intel, and WhatsApp.
The sheer scale of this cyber storm has massive cyber risk management ramifications for any organisation. Today’s vulnerabilities and unpatched systems can be tomorrow’s – or even this afternoon’s – next malware target. And when the systems that underpin the world’s business networking and IT infrastructures are at risk, threat actors take notice.
By now, several of the flaws are being exploited. Furthermore, at the time of writing, fixes for many of the vulnerabilities that have been uncovered are still not available. When these patches do come, they’ll likely arrive in a deluge. It’s a CISO’s nightmare. Overwhelmed security teams must rush to apply these patches while maintaining system uptime and ensuring continuity of business operations.
What about the risk beyond your four walls?
Internal patching is not the only concern. CISOs are also responsible for ensuring that strong security policies, procedures, and postures extend beyond the four walls of their businesses and across their supply chains – and with good reason. A recent study showed that 70% of organisations rely heavily on third-party vendors and 59% of breaches originate with those third parties.
In light of recent events, it’s imperative that companies ensure that their vendors are aware of the potential risks and are taking steps to mitigate their exposure. Traditionally, this process would involve a third-party security risk audit often taking the form of a vendor check-in to assess what’s changed and identify areas of risk.
Unfortunately, instituting and managing a third-party audit can be a cumbersome and problematic process. To comply with an audit, each vendor must complete a lengthy questionnaire that gets into the nuts and bolts of their security policies, vulnerabilities, patching history, certifications, and more.
Then, there is the problem of timing. An audit won’t tell you what’s going on during the days when you aren’t performing an assessment – it simply shines a spotlight on a moment in time. Plus, how can you be sure that your vendor has completed the form accurately?
A turning point in cyber risk management
The cyber week from hell indicates that we’ve arrived at a turning point. The threat landscape is evolving at a rapid pace, and there aren’t enough hours in the day to conduct lengthy audits across your supply chain, sift through binders of questionnaires, and try to glean insight into your vendors’ ecosystems. With so many flaws and vulnerabilities exposed, organisations need a more agile and automated way to bolster security, adapt to threats, and monitor the security performance of their vendors.
A comprehensive third-party risk management programme can help you gain visibility into the quantitative risk posed by third-party vendors so you can make risk decisions much faster. This can help expose cyber risk within your supply chain, share insights, focus your resources on the vendors with the highest risk levels so you can advise them on how to improve their security postures, and continuously assess and measure security ratings in real time.
Communicate your commitment to security excellence
This level of agility extends beyond third-party risk management. CISOs, chief risk officers, and the corporate board are all held accountable for the performance of their cybersecurity programmes. Yet, most organisations don’t have a way to continuously assess and communicate the ongoing state of their own organisation’s cybersecurity. When you implement a security performance management programme, you can find out how secure your organisation really is, compare your security posture to industry averages, allocate resources effectively, and start having data-driven conversations about cybersecurity with key stakeholders.
Are you ready for the “new normal”?
As cybersecurity enters a possible “new normal,” the onus is on the executive team to be prepared to weather the storm(s). The best way to do this is to shine a light on your vendors’ security blind spots while assessing your own vulnerabilities and measuring the performance of your own cybersecurity programme, so that you avoid your own week from hell.